CVE-2023-35086 – A format string vulnerability in ASUS RT-AX56U ... (How to Fix)

Q: What is the severity of CVE-2023-35086?

CVE-2023-35086 has a CVSS score of 7.2 (HIGH). A format string vulnerability in ASUS RT-AX56U V2 and RT-AC86U routers allows remote attackers with administrator privileges to execute arbitrary code or disrupt services. The vulnerability occurs when user input is directly passed to syslog without proper sanitization in the httpd service. This affects specific firmware versions of these router models.

📋 TL;DR

A format string vulnerability in ASUS RT-AX56U V2 and RT-AC86U routers allows remote attackers with administrator privileges to execute arbitrary code or disrupt services. The vulnerability occurs when user input is directly passed to syslog without proper sanitization in the httpd service. This affects specific firmware versions of these router models.

💻 Affected Systems

Products:

ASUS RT-AX56U V2
ASUS RT-AC86U

Versions: RT-AX56U V2: 3.0.0.4.386_50460; RT-AC86U: 3.0.0.4_386_51529

Operating Systems: ASUSWRT firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Requires administrator privilege to exploit. Affects the httpd service handling web interface requests.

📦 What is this software?

Rt Ac86u Firmware by Asus

View all CVEs affecting Rt Ac86u Firmware →

Rt Ax56u V2 Firmware by Asus

View all CVEs affecting Rt Ax56u V2 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote attacker gains full control of the router, can modify configurations, intercept traffic, install persistent malware, or use the device as a pivot point into the internal network.

🟠

Likely Case

Attacker executes arbitrary code to disrupt router services, modify DNS settings, or steal credentials from connected devices.

🟢

If Mitigated

With proper access controls and network segmentation, impact is limited to the router itself without lateral movement into the broader network.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires administrator credentials. Format string vulnerabilities typically allow memory corruption leading to code execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check ASUS security advisory for latest patched versions

Vendor Advisory: https://www.twcert.org.tw/tw/cp-132-7240-a5f96-1.html

Restart Required: Yes

Instructions:

1. Log into router web interface. 2. Navigate to Administration > Firmware Upgrade. 3. Check for updates. 4. If update available, download and install. 5. Router will reboot automatically.

🔧 Temporary Workarounds

Disable remote administration

all

Prevents external attackers from accessing the web interface

In web interface: Advanced Settings > Administration > System > Enable Web Access from WAN: No

Change default credentials

all

Use strong, unique administrator password

In web interface: Advanced Settings > Administration > System > Change router login password

🧯 If You Can't Patch

Segment router on isolated network segment
Implement strict firewall rules limiting access to router management interface

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface: Advanced Settings > Administration > Firmware Upgrade

Check Version:

ssh admin@router_ip 'nvram get buildno' or check web interface

Verify Fix Applied:

Verify firmware version is newer than affected versions listed in advisory

📡 Detection & Monitoring

Log Indicators:

Unusual syslog format string patterns
Multiple failed login attempts followed by successful login

Network Indicators:

Unusual outbound connections from router
Traffic to unexpected destinations

SIEM Query:

source="router_syslog" AND (message="*%n*" OR message="*%s*" OR message="*%x*")

📊 Metadata

CVE ID: CVE-2023-35086

CVSS v3 Score: 7.2 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-134

Published: July 21, 2023

Last Updated: November 21, 2024

🔗 References

https://www.twcert.org.tw/tw/cp-132-7240-a5f96-1.html Third Party Advisory
https://www.twcert.org.tw/tw/cp-132-7240-a5f96-1.html Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-35086, you might also want to check these: